Subject: Re: suid helper to verify own passwd
To: None <M.Drochner@fz-juelich.de>
From: SODA Noriyuki <soda@sra.co.jp>
List: tech-security
Date: 12/21/2006 06:44:40
>>>>> On Wed, 20 Dec 2006 10:13:55 +0100,
      Matthias Drochner <M.Drochner@fz-juelich.de> said:

> static int
> askhelper(const char *user, const char *pass)
> {
[snip]
> 	rpid = waitpid(pid, &s, 0);
> 	if (rpid != pid)
> 		return (errno);
> 	if (WEXITSTATUS(s))

Isn't it better to change this to the following, just to be sure?:
	if (!WIFEXITED(s) || WEXITSTATUS(s))
		return (some error code as christos said);

[snip]

> 	pwent = getpwnam(argv[1]);
> 	if (!pwent || (pwent->pw_uid != getuid()))
> 		return (EPERM);

I really like this part, because this effectively prevents any brute
force attack, unlike the equivalent feature of the BSD auth framework. 

With the BSD auth in OpenBSD, an attacker can try arbitrary users'
passwords via setuid BSD auth modules.  But with your implementation,
an attacker can only try the password of the attacker himself.
IMHO, this is more secure than the BSD auth.
-- 
soda
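
The difference between the quoted status check and the one suggested in the reply, as an added example that is not part of the original message or of the quoted helper code. The stand-in child, the enum and the function names are hypothetical; the child killed by a signal is a constructed case.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum child_mode { CHILD_OK, CHILD_REJECT, CHILD_KILLED };	/* constructed cases */

/* Fork a stand-in for the helper; return its raw wait status, or -1. */
static int
run_child(enum child_mode mode)
{
	int s;
	pid_t pid = fork();

	if (pid == -1)
		return -1;
	if (pid == 0) {
		if (mode == CHILD_KILLED)
			raise(SIGKILL);	/* dies before reporting a verdict */
		_exit(mode == CHILD_OK ? 0 : 1);
	}
	while (waitpid(pid, &s, 0) == -1)
		if (errno != EINTR)
			return -1;
	return s;
}

/* Check as quoted: only the exit-status bits are examined.  On common
 * implementations those bits are 0 when the child was killed by a signal. */
static int
accepted_quoted(int s) { return WEXITSTATUS(s) == 0; }

/* Check as suggested in the reply: require a normal exit first. */
static int
accepted_strict(int s) { return WIFEXITED(s) && WEXITSTATUS(s) == 0; }

int
main(void)
{
	static const char *name[] = { "exit 0", "exit 1", "killed" };

	for (int m = CHILD_OK; m <= CHILD_KILLED; m++) {
		int s = run_child((enum child_mode)m);
		printf("%-7s quoted=%d strict=%d\n", name[m],
		    accepted_quoted(s), accepted_strict(s));
	}
	return 0;
}
```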